Tuesday, November 13, 2007

How Is Your Sensitive Data Encrypted In The Database?

Do you store encrypted data? If you do then how is it encrypted? Do you use the built in capabilities of SQL Server 2005/2008. If you answered yes to the last question then here is another question. What would happen if someone stole the hard drive or even the whole database server? Could they decrypt that data easily with the stored procedures which you have written? Do these store procedures use the DecryptByPassphrase function?

So you probably think that I am crazy and no one would ever steal a database server. Wrong! C I Host a Chicago-based co-location got robbed 4 times since 2005. One company lost 20 servers in the latest heist. You can read more details about that here: http://www.theregister.co.uk/2007/11/02/chicaco_datacenter_breaches/

Without going into too much detail, this is what we are doing. Our data is encrypted by a corporate crypto tool which can only be accessed from within the DMZ. Keys are created for specific machines; these keys can easily be revoked at any time. Even if you would somehow steal our web and database server you would still be out of luck because of that. The data is encrypted by the tool and stored encrypted in the DB.

Identity theft will cost you in the future.
The Identity Theft Enforcement and Restitution Act of 2007 has been introduced and was scheduled for debate on November 1st; the Senate and the House still have to vote on it. This is a bill to amend title 18, United States Code, to enable increased federal prosecution of identity theft crimes and to allow for restitution to victims of identity theft.

Follow the developments here:
S. 2168: Identity Theft Enforcement and Restitution Act of 2007

No comments: